What is The Difference Between Locally Administered and Universally Administered MAC Addresses?

Published on Fri, May 09, 2025

Networking is one of the core technologies used in the 21st century. It allows people to access the internet and connect to other devices with ease. The internet has become such a core part of our daily lives that it is now considered a necessity rather than a luxury. Entire industries now use remote working, which is only possible due to the proliferation of the internet.

One of the important aspects of networking is MAC addresses. They have an important role in establishing network connections, privacy, and security. 

MAC addresses can be permanent or temporary. This distinction is necessary for network security and device privacy. Let’s learn more about it in detail.

What is a MAC Address? How Is It Used For Tracking?

A MAC address is a special identifier assigned to a device. This identifier is 12 digits long and uses hexadecimal notation. The digits are written in pairs, and each pair is known as an octet (because it represents 8 bits).

Here’s what a typical MAC address looks like.

40-A8-F0-4F-50-9E

Now, a MAC address has further demarcations. 

  • The first six digits are called the OUI number. OUI stands for Organizationally Unique Identifier. In the given example, the OUI number is “40-A8-F0”.
  • The last six digits are called the serial number. 

The OUI number identifies which organization assigned that MAC address to the device. An OUI number will typically be the same for all devices whose address was assigned by one vendor. 

The serial number is used to identify the exact device in a network (assuming all devices have the same OUI). 

How Is a MAC Address Used for Tracking?

A MAC address is typically not shared on the public internet. It is only used inside local networks for device ID and communication. 

However, there is one instance where a MAC address is shared in a semi-public setting: connecting to a WiFi access point.

Here’s how that happens. 

  • When a device wants to connect to a WiFi access point, it sends out a request for connection.
  • This request contains the MAC address of the device. 
  • Now, if the password is correct, the access point will allow the device to connect.
  • It will also “log” the MAC address.

Now, any network admin who can check those logs will know the MAC address of the connecting device. So, how does this help with tracking?

Well, in large shopping malls where various shops provide free WiFi to their customers, mall owners can track people traveling between different shops and areas based on which access points their devices connect to. 

They will see the same MAC address popping up in the logs of various access points, and that data can help them find out which shops a device went to and what path it took to get there. 

This data is complemented with other methods of tracking to create customer profiles, which are used for marketing and improving conversions.

This is why having a method to fake your MAC address is required, as it prevents you from getting tracked. This is where temporary and permanent MAC addresses come into play. The technical terms for them are Locally Administered Address (LAA) and Universally Administered Address (UAA), respectively. Let’s learn more about them and their role in preventing tracking. 

What is A Universally Administered MAC Address (UAA)?

A UAA is your typical MAC address assigned by a vendor. It has the following properties.

  • It is assigned by a registered vendor
  • It is tied to the device’s hardware: to the network interface card (NIC)
  • Because the UAA is tied to a piece of hardware, it cannot be changed unless the NIC is replaced completely. 
  • It is not shared on the internet, but is shared with an access point when attempting to connect. 
  • All UAAs have Bit 1 of the first byte set to 0. This means that if you translate the first octet to binary, bit 1 (the second bit counting from the right, with the rightmost bit being bit 0) will be 0.
  • UAAs are typically used in MAC filtering and device identification.
  • All UAAs have a record in the IEEE database for their OUI number. So, if you do a MAC Address lookup and you get a valid output, it means the UAA was registered in the IEEE database.

MAC Address Lookup tools access the IEEE database to find out which vendor an OUI number belongs to. The very same database also provides other information related to it. The point is that if you can find a MAC address in that database, you can be sure that the address was assigned by a registered vendor. 

What is a Locally Administered MAC Address (LAA)?

An LAA is a MAC address that was not assigned by a vendor. It is typically generated artificially via a tool such as a MAC address generator or by the operating system of a device.

Here are the defining properties of an LAA.

  • Software defined and not tied to any hardware
  • Can be changed as you please.
  • Bit 1 of the first byte is set to 1.
  • Does not have a record in the IEEE database.

Due to that last point, if you try to do an OUI/Vendor lookup on an LAA, you will get the output “No Record Found.”

LAAs are used for various reasons. They are used in MAC Address Randomization in Android and iOS systems. MAC randomization essentially utilizes a unique Locally Administered Address (LAA) for every WiFi access point, which is how it prevents tracking of your device via MAC addresses.

LAAs have many uses that we will discuss in a later section. For now, let’s move on to how you can differentiate between UAAs and LAAs. 

How to Check If a MAC Address is UAA or LAA?

At a glance, both UAAs and LAAs look the same. Nobody has time to do a binary conversion to check the first bit and see if it is 1 or 0. It is also an inconvenient approach.

Here’s a more appropriate method.

  • Open a web browser.
  • Enter the following URL in the address bar: “https://macaddresslookup.io/” 
  • Input the MAC address in the input box.
  • Select “Search by MAC.”
  • Click/tap “Search”

If the output is valid and you get the OUI information and MAC history, the address is a valid UAA. Instead, if you get a “Record Not Found”, that means the address was generated and is most likely an LAA.

There is another trick to identify LAAs, but it only works for Android and iOS systems. The trick is to look at the 2nd digit of the first octet. If it is 2, 6, A, or E, then the MAC address is an LAA. You can read more about why this is the case here.
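
As an added example (not code from the original article), the following Python code does the bit check locally instead of through a lookup site: it reads the two flag bits of the first octet and derives the 2/6/A/E shortcut from them. The function names and every sample address other than the article's 40-A8-F0-4F-50-9E are constructed for illustration, and the code goes slightly beyond the text by also reporting the multicast bit.

```python
import re

def parse_mac(text):
    """Return the 6 address bytes; accepts '-', ':' or Cisco-style '.' separators."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Classify an address from the two flag bits in its first octet."""
    mac = parse_mac(text)
    local = bool(mac[0] & 0x02)      # bit 1 (U/L): 1 = locally administered
    multicast = bool(mac[0] & 0x01)  # bit 0 (I/G): 1 = group/multicast address
    return {
        "admin": "LAA" if local else "UAA",
        "cast": "multicast" if multicast else "unicast",
        # Only a universally administered address carries a vendor OUI worth looking up.
        "oui": None if local else "-".join(f"{b:02X}" for b in mac[:3]),
    }

def unicast_laa_second_digits():
    """Derive which second hex digits mark a unicast LAA (bit 1 set, bit 0 clear)."""
    return [f"{n:X}" for n in range(16) if n & 0x02 and not n & 0x01]

# Constructed sample inventory; only the first address comes from the article.
SAMPLES = [
    "40-A8-F0-4F-50-9E",   # the article's example
    "40a8.f04f.509e",      # same address, dotted notation
    "da:a1:19:3c:7b:22",   # constructed randomized-style address
    "FF:FF:FF:FF:FF:FF",   # broadcast: both flag bits set
]

if __name__ == "__main__":
    print("unicast LAA second digits:", unicast_laa_second_digits())
    for s in SAMPLES:
        print(f"{s:20} {classify(s)}")
```

The bit test works on any 48-bit address regardless of the operating system that produced it, so the broadcast address also reports its local bit as set.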

What Are LAAs Used For?

LAAs have plenty of security and privacy use cases. We already saw how they can prevent device tracking between different WiFi networks with MAC address randomization. But they can do more than that. Let’s take a look. 

  • Virtual Machine (VM) networking

Virtualization platforms like VMware, VirtualBox, Hyper-V, and others often need to assign unique MAC addresses to multiple virtual machines (VMs) running on the same physical host. Since they’re not manufacturing physical NICs, they use LAAs.

How it works:

  • The hypervisor (software that controls VMs) generates a unique MAC address for each virtual machine.
  • These addresses have the locally administered bit set to differentiate them from hardware-assigned ones.
  • This ensures no conflict with real, manufacturer-assigned MACs.

So, LAAs allow virtual machines to network without causing hardware conflicts.

  • MAC Spoofing

MAC spoofing is the act of changing a device's MAC address to something other than its original hardware-based one. It's commonly used for improving privacy by preventing MAC address tracking.

How it works:

  • A user or script modifies the MAC address via software tools or OS commands.
  • The new MAC is typically an LAA, since the local bit must be set for the OS to accept the change.
  • Tools like “macchanger” (Linux), built-in commands on macOS (ifconfig), and Windows registry edits allow this.

MAC spoofing is not illegal in itself. However, bad actors use it maliciously to conduct other types of cyberattacks and evade detection. At the same time, it is also used in network security testing, as you will soon see. 

  • Security testing

Security professionals and ethical hackers use LAAs during network auditing and penetration testing to simulate unauthorized or unexpected behavior in a controlled environment.

Here’s what they use LAAs for.

  • A pen tester can spoof MAC addresses to see how the network responds. The spoofed address is often an LAA.
  • Using LAAs allows the tester to:
    • Bypass MAC-based restrictions or detection systems.
    • Simulate rogue devices entering the network.
    • Test how access control lists (ACLs) and DHCP servers react to new or changing clients.

So, there you have it, some legitimate uses of LAAs.

Conclusion

Now, you should know the differences between LAAs and UAAs. A UAA is the default MAC address assigned to a device’s NIC by a vendor. LAAs, on the other hand, are generated artificially and used for running VMs, improving privacy, and security testing.

Knowing the difference between them is necessary if you are a network admin and want to ensure that your network devices are secure. Now, you should have no problem differentiating between LAAs and UAAs.
